VPN

Материал из Artem Aleksashkin's Wiki
Перейти к навигации Перейти к поиску

Хорошая статья тут https://baks.dev/article/ubuntu/how-to-set-up-an-openvpn-server-on-ubuntu-18-04

EasyRSA

cd ~
wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz
tar -xzvf EasyRSA-3.0.4.tgz
cd EasyRSA-3.0.4
cp vars.example vars
nano vars

set_var EASYRSA_REQ_COUNTRY    "DE"
set_var EASYRSA_REQ_PROVINCE   "Berlin"
set_var EASYRSA_REQ_CITY       "Berlin"
set_var EASYRSA_REQ_ORG        "Aleksashkin"
set_var EASYRSA_REQ_EMAIL      "artem@aleksashkin.com"
set_var EASYRSA_REQ_OU         "Community"

./easyrsa init-pki
./easyrsa build-ca
./easyrsa gen-dh
scp dh.pem you@yoropebvpn.com:/etc/openvpn/
ssh you@yoropebvpn.com
# on openvpn
apt update
apt install openvpn 
cd /etc/openvpn/
openvpn --genkey --secret ta.key
exit
# on easyrsa
./easyrsa gen-req server1 nopass 
scp ./pki/private/server1.key you@yoropebvpn.com:/etc/openvpn/
scp ./pki/reqs/server1.req you@yoropebvpn.com:/etc/openvpn/
./easyrsa import-req ./pki/reqs/server1.req server1
./easyrsa sign-req server server1
scp ./pki/issued/server1.crt you@yoropebvpn.com:/etc/openvpn/
scp ./pki/ca.crt you@yoropebvpn.com:/etc/openvpn/
ssh you@yoropebvpn.com
# on openvpn
nano /etc/openvpn/server1.conf

port 1194
proto udp
dev tun
ca ca.crt
cert server1.crt
key server1.key  # This file should be kept secret
dh dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1
auth SHA256

# on openvpn
systemctl start openvpn@server1
systemctl status openvpn@server1
systemctl enable openvpn@server1

# add net.ipv4.ip_forward=1  to /etc/sysctl.conf
sysctl -p

Правила для IPTABLES 

# on openvpn
iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -o enp3s0 -j MASQUERADE
iptables -A INPUT -p tcp --destination-port 6881:6999 -j DROP
iptables -A OUTPUT -p tcp --source-port 6881:6999 -j DROP

https://www.linode.com/community/questions/5513/need-a-iptable-rule-to-disable-bittorrent

Источник — http://wiki.aleksashkin.net/index.php?title=VPN&oldid=2257